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Background of the Invention 
Cross-Reference to Related Applications 

[0001] This application is a continuation-in-part of U.S. Patent Application 

No. 10/404,916 titled "Method and Apparatus for Composing Multimedia 
Documents/' filed March 31, 2003, the disclosure of which is incorporated by 
reference. 

[0002] This application is a continuation-in-part of U.S. Patent Application 

No. 10/404,927 titled "Multimedia Document Sharing Method and Apparatus," 
filed March 31, 2003, the disclosure of which is incorporated by reference. 
[0003] This application is a continuation-in-part of U.S. Patent Application 

No. 10/639,282 titled "Physical Key for Accessing a Securely Stored Digital 
Document," filed August 11, 2003, the disclosure of which is incorporated by 
reference. This application is also a continuation-in-part of U.S. Patent 
Application No. 10/665,097 titled "Action Stickers For Identifying And 
Processing Stored Documents," filed September 16, 2003, the disclosure of which 
is incorporated by reference. 
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[0004] This application is related to the following commonly owned and 
co-pending U.S. patent applications, the disclosures of which are incorporated by 
reference: 

• U.S. Patent Application No. 09/533,252 tided "Method and 
System for Information Management to Facilitate the Exchange 
of Ideas During a Collaborative Effort," filed March 8, 2000; 

• U.S. Patent Application No. 10/001,895 titled "Paper-Based 
Interface For Multimedia Information," filed November 19, 
2001; 

• U.S. Patent Application No. 10/081,129 titled "Multimedia 
Visualization & Integration Environment," filed February 21, 
2002; 

• U.S. Patent Application No. 10/085,569 titled "A Document 
Distribution and Storage System," filed February 26, 2002; 

• U.S. Patent Application No. 10/174,522 titled "Television-based 
Visualization and Navigation Interface," filed June 17, 2002; 

• U.S. Patent Application No.10/ 175,540 titled "Device For 
Generating A Multimedia Paper Document," filed June 18, 2002; 
and 
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• U.S. Patent Application No. 10/307,235 titled "Multimodal 
Access of Meeting Recordings/' filed November 29, 2002. 

Field of the Invention 

[0005] The present invention relates generally to document management, 

and more specifically to mechanisms for accessing, manipulating, and 
disseminating collections of documents. 

Background of the Invention 

[0006] Despite the ideal of a paperless environment that the 

popularization of computers had promised, paper continues to dominate the 
office landscape. Ironically, the computer itself has been a major contributing 
source of paper proliferation. The computer simplifies the task of document 
composition, and thus has enabled even greater numbers of publishers. The 
computer promotes individual expression through the use of graphics tools, 
image capture devices, image enhancement tools, and so on, in addition to 
traditional text editing. Oftentimes, documents must be shared among 
colleagues, thus generating even more paper. 

[0007] Despite advances in technology, practical substitutes for paper 

remain to be developed. Computer displays, PDAs (personal digital assistants), 
wireless devices, and the like all have their various advantages, but they lack the 
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simplicity, reliability, portability, relative permanence, universality, and 
familiarity of paper. In many situations, paper remains the simplest and most 
effective way to store and distribute information. 

[0008] The conveniences and advantages that paper offers signal that its 

complete replacement is not likely to occur soon, if ever. Perhaps then, the role 
of the computer is not to achieve a paperless society. Instead, the role of the 
computer may be as a tool to move effortlessly between paper and electronic 
representations and maintain connections between the paper and the electronic 
media with which it was created. 

[0009] In United States Patent Number 5,754,308, "System and Method for 
Archiving Digital Versions of Documents and for Generating Quality Printed 
Documents Therefrom/' Lopresti et al. describe one method for moving between 
paper and electronic representations. The system uses an enhanced copier to 
scan a document information designator present on each page that uniquely 
identifies that page and enables retrieval of a stored digital representation of that 
page for output. This system requires hard copies of each page to be used for 
retrieval and does not guarantee security during the storage or retrieval 
processes. 

[001 0] Related, commonly owned applications for "Method and 
Apparatus for Composing Multimedia Documents/' and "Multimedia Document 
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Sharing Method and Apparatus/' the disclosures of which are incorporated 
herein by reference, describe techniques for organizing multimedia documents 
into one or more collections. A collection coversheet representative of the 
collection can be printed on a suitable medium, such as paper. This coversheet 
can provide access to the collection by using a multi-function peripheral (MFP). 
In this way, individuals can share multimedia documents in the collection by 
distributing copies of the coversheet to recipients. 

[001 1] It is desirable to simplify the process of creating and manipulating 

document collections, so as to encourage users to make more effective use of 
such electronic storage mechanisms. Existing techniques provide user interfaces 
allowing users to specify, via input devices such as buttons and touchscreens, 
what operations are desired. However, what is needed is a system and method 
that simplifies operation of the system by allowing a user to specify desired 
operations without having to learn or use a user interface. 
[0012] In many situations, users may wish to add annotations to stored 

documents and collections. What is needed is a mechanism for automatically 
reading such annotations, processing them if appropriate, and adding them to 
the electronically stored copies of documents and collections. What is further 
needed is a mechanism for performing such operations in a simple, easy-to-use 
way. 



Case 7973 - 5 - 

20412/07973/DOCS/1367371.5 



[0013] Often, a user wishes to provide different levels of access to a 

document or collection to different individuals. What is needed is a mechanism 
for providing such different levels of access for different users, while 
maintaining the convenience of using coversheets to provide access to 
collections. 

Summary of the Invention 

[0014] According to one aspect, the present invention simplifies the 

process of inputting documents into a collection. Rather than specifying a 
collection organization and hierarchy via a user interface, the user simply 
arranges the documents in an order that represents the desired organization. 
The system of the present invention interprets the order in which documents are 
presented upon input, and arranges the documents in a particular organization 
and hierarchy according to the presented order. 

[001 5] For example, if the first document identifies an existing collection, 

subsequent documents are added to the identified existing collection. If the first 
document does not identify a collection, the first document and subsequent 
documents are added to a new collection. If, in either of these processes, a 
subsequent document identifies a collection, the identified collection is added as 
a subcollection (or, alternatively, the documents within the second collection are 
individually added to the first collection). 
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[001 6] According to another aspect, the present invention provides an 

input mechanism for accepting and storing annotations provided by a user. As 
described in related applications referenced above, a collection coversheet 
representative of the collection is printed on a suitable medium, such as paper for 
example. According to this aspect of the invention, the user can annotate the 
collection coversheet, for example by writing on it with an ordinary pen or 
pencil. The coversheet (or other piece of paper containing annotations) is then 
scanned, and the user's annotations re added to the collection. 
[001 7] According to another aspect, the present invention provides a 

mechanism for granting different levels of access to a collection or document to 
different individuals. As described in related applications referenced above, a 
collection coversheet representative of the collection is printed on a suitable 
medium, such as paper for example; the coversheet then provides access to the 
collection. According to this aspect of the invention, the coversheet also specifies 
a level of access, such as read-only access, add-only access, or full permission. 
Upon scanning the coversheet, the system of the invention grants the level of 
access specified by the coversheet. 

[001 8] Thus, users can share documents in the collection by distributing 

copies of coversheets to recipients, and the recipients can be granted differing 
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levels of access to the collection according to indicators on their respective 
coversheets. 

[001 9] Further features of the invention, its nature and various advantages 

will be more apparent from the accompanying drawings and the following 
detailed description. 



Brief Description of the Drawings 

[0020] The accompanying drawings illustrate several embodiments of the 

invention and, together with the description, serve to explain the principles of 
the invention. 

[0021 ] Fig. 1 A is a pictorial representation showing a multi-function 

peripheral and associated devices as can be used in one embodiment of the 
present invention. 

[0022] Fig. IB is a pictorial representation of a control panel for a multi- 
function peripheral. 

[0023] Fig. 2 is a block diagram depicting an overall architecture for 
practicing the present invention according to one embodiment. 
[0024] Fig. 3 is an example of a sequence of documents for adding material 

to an existing collection. 
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[0025] Fig. 4 is an example of a sequence of documents for creating a new 

collection. 

[0026] Fig. 5A depicts an example of an empty collection coversheet in 

accordance with an embodiment of an aspect of the present invention. 

[0027] Fig. 5B depicts an example of a non-empty collection coversheet in 

accordance with an embodiment of an aspect of the present invention. 

[0028] Fig. 6 is an example depicting three collection identifiers pointing 

to the same directory. 

[0029] Fig. 7 depicts an example of a separator page for separating 
documents for individual storage. 

[0030] Fig. 8 is a flow chart depicting a method for using document order 

to determine collection organization and hierarchy, according to one 
embodiment. 

[0031] Fig. 9 is a flow chart depicting a method for adding notes to a 

collection, according to one embodiment. 

[0032] Fig. 10A is a flow chart depicting a method for creating limited 

access coversheets, according to one embodiment. 

[0033] Fig. 10B is a flow chart depicting a method for using a limited 

access coversheet to access a collection, according to one embodiment. 
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[0034] Fig. 11 is a flowchart depicting a method of determining an access 

level according to region. 

[0035] Fig. 12 depicts an example of a collection having multiple 

permission regions. 

Detailed Description of the Embodiments 

[0036] The present invention is now described more fully with reference 

to the accompanying Figures, in which several embodiments of the invention are 
shown. The present invention may be embodied in many different forms and 
should not be construed as limited to the embodiments set forth herein. Rather 
these embodiments are provided so that this disclosure will be complete and will 
fully convey the invention to those skilled in the art. 
[0037] In the following description, for purposes of explanation, 

numerous specific details are set forth in order to provide a thorough 
understanding of the invention. It will be apparent, however, to one skilled in 
the art that the invention can be practiced without these specific details. In other 
instances, structures and devices are shown in block diagram form in order to 
avoid obscuring the invention. 

[0038] Reference in the specification to "one embodiment" or "an 

embodiment" means that a particular feature, structure, or characteristic 
described in connection with the embodiment is included in at least one 
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embodiment of the invention. The appearances of the phrase "in one 
embodiment 7 ' in various places in the specification are not necessarily all 
referring to the same embodiment. 

[0039] Some portions of the detailed description that follows are presented 

in terms of algorithms and symbolic representations of operations on data bits 
within a computer memory. These algorithmic descriptions and representations 
are the means used by those skilled in the data processing arts to most effectively 
convey the substance of their work to others skilled in the art. An algorithm is 
here, and generally, conceived to be a self-consistent sequence of steps leading to 
a desired result. The steps are those requiring physical manipulations of 
physical quantities. Usually, though not necessarily, these quantities take the 
form of electrical or magnetic signals capable of being stored, transferred, 
combined, compared, and otherwise manipulated. It has proven convenient at 
times, principally for reasons of common usage, to refer to these signals as bits, 
values, elements, symbols, characters, terms, numbers, or the like. 
[0040] It should be borne in mind, however, that all of these and similar 

terms are to be associated with the appropriate physical quantities and are 
merely convenient labels applied to these quantities. Unless specifically stated 
otherwise as apparent from the following discussion, it is appreciated that 
throughout the description, discussions utilizing terms such as ''processing 77 or 
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"computing" or "calculating" or "determining" or "displaying" or the like, refer 
to the action and processes of a computer system, or similar electronic computing 
device, that manipulates and transforms data represented as physical (electronic) 
quantities within the computer system's registers and memories into other data 
similarly represented as physical quantities within the computer system 
memories or registers or other such information storage, transmission or display 
devices. 

[0041 ] The present invention also relates to an apparatus for performing 

the operations herein. This apparatus may be specially constructed for the 
required purposes, or it may comprise a general-purpose computer selectively 
activated or reconfigured by a computer program stored in the computer. Such a 
computer program may be stored in a computer readable storage medium, such 
as, but is not limited to, any type of disk including floppy disks, optical disks, 
CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random 
access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any 
type of media suitable for storing electronic instructions, and each coupled to a 
computer system bus. 

[0042] The algorithms and modules presented herein are not inherently 

related to any particular computer or other apparatus. Various general-purpose 
systems may be used with programs in accordance with the teachings herein, or 
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it may prove convenient to construct more specialized apparatuses to perform 
the required method steps. The required structure for a variety of these systems 
will appear from the description below. In addition, the present invention is not 
described with reference to any particular programming language. It will be 
appreciated that a variety of programming languages may be used to implement 
the teachings of the invention as described herein. Furthermore, as will be 
apparent to one of ordinary skill in the relevant art, the modules, features, 
attributes, methodologies, and other aspects of the invention can be implemented 
as software, hardware, firmware or any combination of the three. Of course, 
wherever a component of the present invention is implemented as software, the 
component can be implemented as a standalone program, as part of a larger 
program, as a plurality of separate programs, as a statically or dynamically 
linked library, as a kernel loadable module, as a device driver, and/ or in every 
and any other way known now or in the future to those of skill in the art of 
computer programming. Additionally, the present invention is in no way 
limited to implementation in any specific operating system or environment. 
[0043] In this application, the term ''document' 7 refers to any collection of 

information capable of being stored electronically, including but not limited to 
text, word processing and spreadsheet files, e-mail messages, voice and audio 
recordings, images and video recordings. 
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[0044] The terms "paper", "paper medium", or "sheet" as used in this 

application are intended to refer to any tangible medium on which information 
can be formed whether by a printing process, written, drawn, imprinted, 
embossed, etc. For purposes of this invention, the term "printing" is intended to 
encompass all manner of forming images on an image-bearing medium whether 
by optical, mechanical, thermal, or electrical methods, or combinations thereof. 
[0045] The term "collection" refers to one or more groups of electronic 

documents or media that might include digital images, audio recordings, 
scanned images from pages of a document, and/ or files such as Microsoft Word 
documents or Microsoft Excel spreadsheets. Collections can also contain 
pointers to other collections. Collections can include user-provided markings, 
annotations, and the like. Collections can also include metadata representing 
related information such as date of creation, modification date, access 
permissions, and the like. 

[0046] For purposes of the following description, a collection is stored on a 
collection server (or other storage device). Each collection has a specific, unique 
address or identifier, such as a uniform resource locator (URL), which provides a 
pointer to the collection. References herein to a pointer, collection identifier, or 
distributed resource identifier (DRI) can be considered to refer to a URL or any 
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other mechanism, tag, handle, pointer, or technique for identifying a file, 
collection, directory, or other group of files. 

[0047] As described in the above-referenced related patent applications, a 

coversheet can be generated for a collection. The coversheet includes a 
representation of the contents of the collection with, in one embodiment, an 
overview image showing thumbnails that represent all of the documents in the 
collection, and a representation of the unique identifier for the collection. In one 
embodiment of the present invention, the techniques described herein are 
combined with the coversheet methods and systems described in the related 
patent applications. 

System Architecture 

[0048] Referring now to Fig. 1A, there is shown a pictorial representation 

of an illustrative embodiment showing the various components that are part of 
the present invention. Referring also to Fig. 2, there is shown a corresponding 
block diagram, containing various functional components. Multi-function 
peripheral (MFP) 100 is connected through a network 200 to collection server 108 
for storing collections 105 of documents 104. MFP 100 provides functionality for 
creating and modifying collections 105, and for communicating with server 108 
for the purpose of transmitting and receiving collections 105 and documents 104. 
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[0049] For illustrative purposes, Figs. 1 A and 2 depict several different 

data capture devices. In a particular embodiment, a MFP 100 scans documents 
104 and coversheets 102 via scanner 302 (scanner 302 is not shown in Fig. 1 A, as 
it is internal to MFP 100). Additional capture devices include but are not limited 
to microphones 110, digital cameras 112, video cameras 114, memory cards and 
other removable media 116, as well as additional devices (not shown). Any or all 
of devices 110, 112, 114, 116, as well as collection server 108, can be connected 
directly to MFP 100 or can be connected via network 200. Documents 104 and 
collections 105 can also be received and transmitted via fax, e-mail, or other 
communication means. MFP 100 also has the ability to output documents 104 
and coversheets 102 by printing them via printer 304 (printer 304 is not shown in 
Fig. 1 A, as it is internal to MFP 100). 

[0050] MFP 100 also includes, in one embodiment, control panel 106 that 

provides a user interface for controlling MFP 100. Referring momentarily to Fig. 
IB, there is shown an example of a control panel 106 for MFP 100. Control panel 
106 may include, for example, any or all of keypad 118, buttons (not shown), and 
touchscreen displays 120. In one embodiment, control panel 106 also provides 
feedback to the user through display 120 and indicator lights 122. For example, 
control panel 106 may indicate a current state of MFP 100, or might indicate the 
task or action currently being performed by MFP 100. 
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[0051] Also shown in Fig. 2 is collection 105, including documents 104, 

and collection coversheet 102. As described in the above-referenced related 
applications, coversheets 102 provide a convenient mechanism for accessing, 
retrieving, and distributing documents 104 and collections 105. The present 
invention provides several enhancements and improvements to the functionality 
and usage of MFP 100 in connection with coversheets 102, documents 104, and 
collections 105. 

[0052] Additional details concerning the architecture and operation of 

MFP 100 are provided in the above-referenced related applications, the 
disclosures of which are incorporated herein by reference. 

Collections and Coversheets 

[0053] Referring now to Fig. 5A, there is shown an example of a collection 

coversheet 102 for an empty collection 105. An empty collection 105 contains no 
documents 104, and is essentially a placeholder for storing documents 104 in the 
future. 

[0054] Referring now to Fig. 5B, there is shown a collection coversheet 102 

for a collection 105 having seven documents 104 and one subcollection pointer 
5105. Three documents 104 are images from a digital camera, four documents 
104 are scanned pages from MFP 100, and subcollection pointer 5105 is a pointer 
to another collection 105 containing two documents 104. Collection overview 506 
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provides an overall representation of collection 105, including thumbnails of the 
documents 104 and subcollection pointer 5105 therein. 

[0055] In one embodiment, collection coversheet 102 is a piece of paper 

that includes several elements: header 502, machine-readable bar code 504, 
human-readable collection identifier or pointer 510, and collection overview 506. 
In addition, coversheet 102 includes area 508 in which the user may write 
annotations. As will be described in more detail below, such annotations can be 
scanned by MFP 101 and added to collections 105 according to the techniques of 
the present invention. 

[0056] In one embodiment, header 502 contains printed information about 

collection 105, including for example: the author; a list of zero, one or more 
individuals to be notified if the collection 105 is modified; time and date 
information of collection 105 creation, modification, and/ or printout; and 
collection 105 topic or subject. 

[0057] One skilled in the art will recognize that the present invention can 

be implemented using other types and arrangements of coversheets 102, and that 
such coversheets 102 may be provided on media other than paper. 

Collection Identifier 

[0058] As described in the related applications, machine-readable bar code 

504 contains an encoded representation of a unique pointer to collection 105 on 
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collection server 108. This pointer is referred to herein as a distributed resource 
identifier (DRI). When presented in human-readable form 510, a DRI can take on 
a form similar to a uniform resource locator (URL) as is commonly used to 
identify documents in the World Wide Web. In one embodiment, the present 
invention uses DRIs as unique collection pointers. DRIs are globally unique, 
difficult to guess, and can provide access to collections from remote locations, via 
a network such as the Internet. 

[0059] Within this description, the terms ''pointer' 7 , "collection identifier", 
"distributed resource identifier", and "DRI" are used interchangeably to 
represent a unique identifier that points to a stored collection 105 (or, in some 
cases, to a document 104). In some cases, more than one identifier points to the 
same collection 105, in order to provide different ways of accessing that 
collection 105. Identifiers can be represented in human-readable form and/or 
machine-readable form. 

[0060] The DRI for a collection 105 may point to a directory that contains 
the collection of documents as well as information used to build the collection 
overview and some additional metadata. A DRI can also point directly to an 
individual document 104. 

[0061 ] Bar code representation 504 of a DRI allows for automated access to 
the collection without requiring the user to manually enter the location; rather, 
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MFP 100 scans coversheet 102 to obtain the DRI. It will be appreciated, of course, 
that any machine-readable indicium can be used instead of bar code 504; in one 
embodiment, MFP 100 employs optical character recognition (OCR) to read a 
human-readable representation 510 of a DRI. 

[0062] Since a collection 105 can include several documents 104, the DRI is 
often a directory reference rather than a reference to a particular file. For 
example, in an operating system such as Unix, the DRI can be a directory 
reference such as /usr/ collection. Alternatively, the DRI can refer to a file that in 
turn leads to an identification of the constituent elements (documents 104) of a 
collection 105. In still another alternative, the DRI can be a reference to a 
database that stores collection 105. It will be appreciated that many other 
alternatives for storing collections of information may be used. 
[0063] In accordance with an aspect of the invention, the text of the DRI 
510 may be made up of a string of characters that includes a random text 
component. This randomly generated text provides a measure of security; it 
helps prevent access to a collection because it is non-intuitive and virtually 
impossible to guess. Identifying a collection with an identifier that has no 
correlation to the content of the collection may present a strong impediment to 
hacking attempts; the hacker simply has no idea where the collection may be 
located, or that the collection even exists. 
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[0064] The example DRI "/ root/ usr/ collection" assumes a single-machine 

architecture. In a more generalized configuration of two or more machines, the 
DRI can include a machine name component. For example, a URL format for 
identifying World Wide Web pages might be used. In accordance with this 
particular embodiment of the invention, the DRI constitutes the path portion of 
the URL. Purely by convention, the path portion uses the following naming 
format according to a particular embodiment of this aspect of the present 
invention: 

.../-DDS- /ORIGIN/..., 
[0065] where. 

[0066] DDS is the name of a particular repository of collections 105; and 

[0067] ORIGIN is the fully-qualified hostname of the origin server for the 

collection 105 identified by the DRI. 

[0068] Thus, for example, suppose a collection 105 is identified by the 
following URL: 

http : / /machinel . com/-msg- 
/machine2 . com/2002/1022/398hy9y8h8#$30er#/l/ 

[0069] The domain corresponding to the machine that stores collection 105 
is identified by "machinel.com/' The path portion refers to a collection 105 
stored in a repository named "-msg-." The original collection 105 (i.e., its place of 
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creation) is located on a machine named "machine2.com." Thus, in this case, 
"machine!" contains a copy of the collection 105. In this particular embodiment 
of the invention, collections 105 are contained in directories, though other data 
storage conventions can be used; for example, collections 105 can be stored and 
managed in a database. The collection 105 shown in the example above is stored 
in a directory called: 

V2002/1022/398hy9y8h8#$30er#/l/" 
[0070] The string "398hy9y8h8#$30er#" represents randomly generated 

text. Finally, as will be discussed below, the directory represented by the 
terminal pathname "/l/" refers to the first (initial, original, base, etc.) version of 
the collection 105. 

[0071 ] In this particular embodiment, both the host machine ("machinel") 

and the origin machine ("machine2") use the following directory structure and 
URL naming structure. The host machine has a directory called "-msg-" 
contained in a directory for storing collections 105. The "-msg-" directory has a 
sub-directory called "machine2.com" which contains all the collections 
originating on "machine2.com." Generally, a sub-directory is provided for each 
machine that can be an originator of a collection. 

[0072] A DRI represents a collection 105 by providing a unique, secure 
pointer to a directory or to a file within that directory on a collection server 108. 
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Given the DRI, a person or machine has enough information to access the 
collection 105. 

[0073] It is possible to modify a collection 105, for example, by adding new 

documents 104; adding, deleting, or modifying annotations (as will be described 
in more detail below); or modifying or deleting existing documents 105. In one 
embodiment, when a collection 105 is modified, the terminal pathname in the 
collection 105 is incremented so that the original collection 105 with the original 
DRI is unchanged and the new collection 105 is placed in a new directory. This 
allows a DRI to always point at the same unmodified collection 105 and at the 
same time, make newer versions of the collection 105 easy to find. Symbolic 
links, or // aliases ,/ , can be established between files representing documents 104, 
so that a single data file can appear to be located in two separate directories. 
Using such links, different versions of a collection 105 can be built without 
duplicating any data files because a file that appears in the /l/ and the /2/ 
version can be linked rather than duplicated. 

[0074] Accordingly, in one embodiment, when a collection 105 is 

modified, a new directory is created (such as /2/) and symbolic links in /2/ are 
created that point to files in /!/ . Files need not be duplicated. New files added 
to the new version of the collection 105 reside directly in /2/, and files which 
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were in /l/ and are not in /2/ remain without links. The annotations, overview, 
and metadata in /2/ are modified appropriately. 

Inputting Documents 

[0075] The present invention provides improved techniques for allowing a 
user to create new collections 105 and to populate existing collections 105 with 
documents 104. New collections can be created as follows: The user can input 
data from paper documents 104 by placing the documents 104 on an automatic 
document feeder (not shown) for scanning by scanner 302 of MFP 100. The user 
can input documents 104, images, or other files or data from electronic media 
such as a memory card by placing the media 116 in an appropriate reader (not 
shown) connected to MFP 100. According to techniques described in more detail 
below, the user places the documents 104 or other data in a particular order to 
indicate that a new collection 105 should be created; in response, MFP 100 
proceeds to retrieve any media placed on or in MFP 100 by the user or recorded 
by the user. Those skilled in the art will understand that it is possible to find 
media by checking sensors, activating scanners, or searching file systems on 
connected memory cards. MFP 100 stores all the retrieved media in the newly 
created collection. 
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Including an Existing Collection in a New Collection 

[0076] As documents 104 are input into a collection 105, MFP 100 searches 

the documents for machine-readable indicia containing DRIs 504. Techniques for 
locating barcodes in images are known in the art and available from a variety of 
sources. MFP 100 can recognize that a page containing a DRI represents a 
collection 105. As described in more detail below, MFP 100 can be programmed 
such that inserting a page with a DRI into any collection 105, new or existing, is 
understood as a request to add that collection 105 to the new collection 105. In 
other words, the page containing the DRI represents a request to add the 
collection 105 pointed to by that DRI to the collection 105 currently being created 
or added to. In one embodiment, the overview image of that collection 105 is 
retrieved and added as a thumbnail to the new collection 105 and the subject of 
that collection 105 is used as the title for the thumbnail. 

Separating Documents 

[0077] As a user is creating a new collection 105 or adding to an existing 

collection 105, it may be desired to rapidly input a series of documents 104 to 
MFP 100. A separator page 2601, an example of which is shown in Fig. 7, can be 
used to denote the end of one document 104 and the beginning of a new 
document 104. MFP 100 detects separator page 2601 and, thereby recognizes that 
a new document 104 is about to begin. Separator page 2601 makes it possible for 
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the user to queue several documents for MFP 100 to scan in one stack. In one 
embodiment, separator page 2601 is an easily produced sheet of paper with a 
printed machine-readable indicator such as a barcode 2602. Separator page 2601 
may be similarly formatted as a collection coversheet. Alternatively, separator 
page 2601 may be any kind of separator identifiable by MFP 100. 
[0078] According to one embodiment, MFP 100 scans each input page for 

a machine-readable indicator. When separator page 2601 is scanned, MFP 100 
reads barcode 2602, recognizes that it is a separator page 2601, and begins to 
store subsequently input pages as a separate document 104. 

Adding to an Existing Collection 

[0079] When a user wishes to add documents 104 to an existing collection 

105, the user provides a DRI to identify the existing collection 105. The user can 
indicate to which collection 105 to add documents 104 by inputting the DRI 
manually, or by providing a coversheet 102 including a machine-readable 
indicator of the DRI. The advantage of having a machine-readable DRI 
identifying the collection 105 is that MFP 100 or any device that can locate and 
decode machine-readable codes can determine which collection 105 is 
represented by the coversheet 102. There are many other methods for presenting 
the MFP 100 with a machine-readable DRI, and those methods and techniques 
are not enumerated here because they are understood by those skilled in the art. 
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Determining Collection Organization and Hierarchy by Document Order 
[0080] In one embodiment, the user need not explicitly specify, via a 

control panel 106 or other user input device, operations such as creating new 
collections 105 or adding to existing collections 105. Instead, the order in which 
documents 104 are presented to MFP 100 determines which task will be 
performed. In this manner, the user is not required to explicitly specify an action; 
rather, he or she merely provides the documents 104 in a particular order, and 
MFP 100 automatically performs the desired action based on the order. 
Accordingly, collection 105 organization and hierarchy are specified by 
document 104 order. 

[0081] Referring now to Fig. 8, there is shown a flow chart depicting an 

example of a method for determining collection 105 organization and hierarchy 
by document 104 order. One skilled in the art will recognize that the particular 
configuration and method of Fig. 8 is merely exemplary, and that MFP 100 can be 
configured to perform different actions in response to document order, and in 
response to the presence or absence of a DRI. 

[0082] In the example, MFP 100 determines whether to create a new 
collection 105 or add to an existing collection 105 by determining whether the 
first presented document 104 of a group of one or more documents 104 contains 
a DRI. If the first document 104 contains a DRI, the document 104 and 
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subsequent documents 104 are added to the collection 105 identified by the DRI. 
If the first document 104 does not contain a DRI, a new collection 105 is created, 
and the document 104 and subsequent documents 104 are added to the new 
collection 105. 

[0083] Part A. In Part A of the method, MFP 100 receives 2704 a first 
document 104. If, in 2705, MFP 100 finds no machine-readable DRI, MFP 100 
assumes that the user wishes to create a new collection (steps 2708 to 2710); for 
illustrative purposes, this new collection is referred to as collection 105D. MFP 
100 creates 2708 a new collection 105D, obtains 2710 a new DRI from collection 
server 108 for collection 105D, and adds 2709 first document 104 to collection 
105D. MFP 100 then proceeds to Part B of the method, as described below. 
[0084] If, in 2705, MFP 100 finds that the first document 104 does contain a 
DRI, MFP 100 assumes that the user wishes to add to an existing collection; for 
illustrative purposes, this existing collection is referred to as collection 105E. MFP 
100 retrieves 2711 collection 105E identified by the DRI from the collection server 
108. Additional documents 104, processed in Part B as described below, are 
added to collection 105E. 

[0085] PartB. Part B proceeds as follows. MFP 100 determines 2712 

whether any more documents 104 are presented. If not, the method ends 2718. If 
any documents are presented, MFP 100 receives 2713 the next document 104 and 
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determines 2714 whether a machine-readable DRI can be found on this 
document 104. If no machine-readable DRI can be found, the document 104 is 
added 2715 to collection 105D or 105E. 

[0086] If, in 2714, MFP 100 does find a machine-readable DRI on the 

document 104, then MFP 100 retrieves 2716 the collection identified by the DRI 
from collection server 108; for illustrative purposes, this collection is referred to 
as collection 105F. MFP 100 then adds 2717 collection 105F as a subcollection to 
collection 105D or 105E. The overview image of the collection 105F is retrieved 
and added as a thumbnail to collection 105D or 105E, and the subject or title of 
collection 105F is used as the title for the thumbnail. For example, if a user 
presents a stack of documents containing a first document 104 followed by a 
second document 104, followed by a coversheet 102, the MFP 100 would create a 
new collection 105D, populate the new collection 105D with the first two 
documents 104, and add the collection 105F identified by the DRI on the 
coversheet as a subcollection. 

[0087] After completing step 2715 or 2717, MFP 100 returns to step 2712 to 

determine whether more documents 104 are presented. If so, each document is 
received and processed as described above. When no more documents 104 are 
presented, the method ends 2718. 
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[0088] Referring now to Figs. 3 and 4, there are shown two examples of 

document sequences that dictate particular actions to be performed by MFP 100. 
In Fig. 3, documents 104A through 104E are provided in a stack, with document 
104A being presented first. It is assumed, for illustrative purposes, that MFP 100 
receives the documents 104 in a top-down order; however, the documents 104 
could instead be received in a bottom-up order. First document 104A includes a 
DRI 504A, causing MFP 100 to access existing collection 105A identified by DRI 
504A. Documents 104B and 104C are then added to existing collection 105 A; in 
one embodiment, documents 104B and 104C are placed in a new subcollection 
which in turn is added to existing collection 105 A. Document 104D includes DRI 
504B, causing MFP 100 to include, in collection 105 A, the collection 105B 
identified by DRI 504B. As described above, collection 105B can be included as a 
subcollection of collection 105 A, or alternatively the individual documents (not 
shown) of collection 105B can be included in collection 105A. Then, MFP 100 
proceeds to add document 104E to collection 105A. Once the appropriate 
documents 104B, C, E, and the collection 105B, have been added to collection 
105 A, collection 105A is stored in collection server 108. 

[0089] In Fig. 4, documents 104H through 104M are provided in a stack, 

with document 104H being presented first. First document 104H does not 
include a DRI. This causes MFP 100 to create a new collection 105C. Documents 
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104H through 104M are then added to new collection 105C, and collection 105A 
is stored in collection server 108. 

Annotations 

[0090] In one embodiment of the invention, a user can annotate collections 

105 in several ways, for example by using electronic drawing tools or by marking 
directly on coversheets 102. If the user has requested an opportunity to add 
annotations, the MFP 100 can present a canvas and an object-based drawing tool 
like those found in Microsoft's PowerPoint software or Adobe Illustrator or 
similar programs. A user may also mark directly on a coversheet 102 with a 
conventional writing implement such as a pen, either to indicate commands to 
the MFP 100 or to make annotations as desired in the overview area 506 or in the 
note-taking space 508. MFP 100 detects such annotations and performs the 
requested operation: either by performing specified commands, adding the 
annotations to the appropriate documents 104 within collection 105, or adding a 
new document 104 including the annotations. 

[0091] Referring now to Fig. 9, there is shown a flowchart depicting a 
method for detecting and processing user-added annotations made on a 
coversheet 102, according to one embodiment. One skilled in the art will 
recognize that the various steps depicted in Fig. 9 can be performed in any order, 
and that the invention is not limited to the particular order depicted. 
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[0092] MFP 100 scans 2802 collection coversheet 102, reads 2803 the DRI 

on coversheet 102, accesses 2805 collection 105 identified by the DRI, and detects 
2804 the presence of annotations. Various methods of detecting marks on a 
document are known in the art and have been described in related cross- 
referenced applications. In one embodiment, MFP 100 automatically detects 
notes when a coversheet 102 is scanned, and MFP 100 optionally automatically 
continues the process to add notes to collection 105. 

[0093] Although the exemplary method is described in terms of detecting 

annotations on coversheet 102, other mechanisms for receiving annotations from 
a user may be employed. For example, in another embodiment, the user can 
request, via a command entered on control panel 106 or other input device, an 
opportunity to add notations. This option may also be provided as a prompt by 
MFP 100, either automatically or in response to certain predefined conditions 
(such as previously received notations, previously set user preferences, or any 
other condition). If the user indicates that he or she wishes to add annotations, 
he or she can do so via control panel 106 or other input device. Annotations can 
also be input via e-mail transmission, fax transmission, or any other 
communication method. For example, a user can fax to MFP 100 an image of a 
coversheet 102 including annotations. 
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[0094] MFP 100 extracts 2806 the annotations from the coversheet. In one 

embodiment, extracting 2806 the annotations includes imaging the entire 
coversheet; alternatively, MFP 100 can image only the notes area 508 of 
coversheet 102. If notes area 508 has lines to facilitate note-taking, the MFP 100 
optionally removes those lines from the image. If desired or appropriate, the 
image is processed using optical character recognition (OCR) or other methods 
for ascertaining the content of the image. Alternatively, the image may be 
retained in bitmapped form with no processing, or it may be converted to a 
graphical description language such as Scalable Vector Graphics (SVG) or 
PostScript. In one embodiment, the user is given an opportunity (via control 
panel 106 or other input/ output means) to select whether the image should be 
processed and how. The image can be appropriately time and date-stamped, 
and/ or additional information (such as authorship) may be added. MFP 100 
then adds 2807 the image of the extracted notes to collection 105; the image may 
be added as a separate document 104, or it may be added to an existing 
document 104, or it may be added in such a manner that it is not part of any 
document 104 but is visible in overview 506 for collection 105. Alternatively, 
MFP 100 can add the image to an existing document 104. 

[0095] In one embodiment, annotations are added to a collection 105 and 

not to a document 104 within the collection. When annotations are added to 
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collection 105 via notes area 508 of coversheet 102, the annotations are added as 
an image in collection 105. The notes are not part of an existing document 104, 
although they may be associated with a document 104 either by proximity on 
coversheet 102 or by an indication that the notes were added to collection 105 
soon after the document 104 was added. 

Limiting Access Permissions Through Differentiated Collection Identifiers 
[0096] In one embodiment of the invention, MFP 100 provides the 

capability to generate a coversheet 102 that grants limited permission to access a 
collection 105. For example, in response to a user's request, MFP 100 can provide 
a coversheet 102 that grants "read-only" or "add-only" access. A coversheet 102 
granting "read-only" access allows the recipient of the coversheet 102 to read, 
view, share, or print a collection 105 but does not allow the recipient to modify 
the collection 105. A coversheet 102 granting "add-only ,, access allows the 
recipient to add documents 104 (and/ or other media) to the collection 105 but 
does not allow the recipient to access any of the documents 104 already in the 
collection 105. In one embodiment, a recipient of an add-only coversheet 102 is 
therefore unable to modify documents 104 he or she has added to collection 105; 
the level of access is akin to a "drop-box". One skilled in the art will recognize 
many different levels and types of access can be granted, including for example: 
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[0097] - administrative-level access (allows a user to change access levels 

for other users); 

[0098] - read-only (allows a user to view, read, listen, watch, print, fax, or 

email); 

[0099] - insert- (or add-) only (allows a user to add new documents and 

annotations); and 

[01 00] - edit/ delete (allows a user to move and resize documents, change 
annotations, delete documents, and delete annotations). 

[0101] In addition, in one embodiment a "filter" mode is available, which 

causes an access level of a subcollection to be inherited from (or limited by) the 
access level of the containing collection. 

[0102] In one embodiment, a collection identifier (such as a DRI) specifies 

a level of access, for example by providing a particular path to a collection 105 
that implicitly includes the access specification. In addition, different collection 
identifiers can be provided for a particular collection, each collection identifier 
specifying a different level of access. Such functionality may be implemented, in 
one embodiment, using techniques analogous to Unix file system permissions 
and symbolic links. Each data file in a Unix file system has at least one pointer to 
the file stored in a directory. Links can be created which exist in other directories 
or perhaps in the same directory but with a different name. These links point to 
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the exact same data on the disk as the original file, but have different metadata. 
That metadata includes the filename and full pathname, as well as file 
permissions. Unix files can be given restricted access that limits or allows certain 
individuals to read or write the file. A file can be set up so that it can be read, 
written, or deleted by anyone. The same file, through a link, can be given a more 
restrictive set of permissions, perhaps only letting one or a few people read the 
file and letting no one delete it. Even though two different pointers point to the 
same data, the particulars of the access level for the data depends on the 
restrictions specified in the pointers, not in the data. 

[01 03] Thus, in one embodiment MFP 100 can create multiple coversheets 

102 allowing different access levels for a particular collection 105 or document 
104. For example, a full access coversheet 102 can be generated as well as a 
coversheet 102 that grants limited access. The collection identifier or DRI 
printed on the full access coversheet 102 points to a directory via a path that 
allows full access to collection 105, while the collection identifier or DRI printed 
on the limited access coversheet 102 points to the directory via a different path 
that allows limited access to collection 105. As described in more detail below, 
an "-access-" file specifies different access privileges based on the path used to 
access the directory. 
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[0104] In one embodiment of the present invention, collection server 108 
maintains a mapping between collection identifiers and collection 105 locations, 
and further maintains records to indicate the access permission level for each 
collection identifier. When an MFP 100 requests a particular type of access using 
a collection identifier, collection server 108 determines whether the identifier 
allows the requested access, and responds accordingly. Alternatively, collection 
server 108 can provide access permission information to MFP 100, and MFP 100 
can make the determination as to whether to process with the request. 
[01 05] In one embodiment, the multiple access level techniques described 

herein are combined with secure access techniques described in related U.S. 

Patent Application No. titled "Physical Key for Accessing a Securely 

Stored Digital Document/' filed , the disclosure of which is incorporated 

by reference. Thus, physical keys can be printed or otherwise generated, 
wherein each physical key contains a collection identifier that identifies an access 
level. Different physical keys can provide different access levels for the same 
collection 105 or document 104. The physical key can then be used to initiate 
decryption of the referenced document 104 or collection 105, and can enforce the 
specified level of access to the decrypted document 104 or collection 105. For 
add-only access, the physical key can permit encryption of newly added 



Case 7973 - 37 - 

20412/07973/ DOCS/1367371 .5 



documents 104 without permitting decryption or reading of the document 104 or 
collection 105. 

[01 06] Referring now to Fig. 6, there is shown one possible approach for 

maintaining access level information. As shown in Fig. 6, such information can 
be kept in -access- file 1101. -access- file 1101 is located in directory 1103, which is 
pointed to by collection identifiers 2404C, D, and E. Directory 1103 also includes 
subdirectories such as 2401 (and others). Each subdirectory 2401 in directory 
1103 includes a different version of collection 105. 

[01 07] Collection identifiers 2404C, D, and E provide different levels of 

access to documents 104 of collection 105. Such an arrangement requires no 
duplication of data; specifically, the collection information and files are stored at 
the same location. Each new version of collection 105 is stored in a separate 
subdirectory 2401 within directory 1103 pointed to by collection identifiers 
2404C, D, and E. In the example shown, the file that stores access level 
information is referred to as "-access-", although any filename or file format can 
be used. In one embodiment, this file is stored in the same directory 1103 as the 
subdirectory 2401 containing documents 104 and other files; in another 
embodiment it is stored subdirectory 2401 (and/ or other subdirectories) itself. 
[01 08] In one embodiment, -access- file is stored at server 108, and is never 

transmitted or revealed in full. Rather, server 108 only transmits or 
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communicates that portion of the -access- file that is relevant or needed for a 
particular access request; alternatively server 108 consults the -access- file and 
allows or denies the requested access accordingly. In one embodiment, server 
108 provides an API allowing authorized individuals to selectively edit the 
-access- file or portions thereof. 

[01 09] Several collection identifiers, or DRIs, can point to the same 

subdirectory 2401. As shown in Fig. 6, three unique collection identifiers 2404C, 
2404D, and 2404E point to the same subdirectory 2401. -access- file 1101 specifies 
access levels corresponding to identifiers 2404C, 2404D, and 2404E. Directory 
2401 contains various files accessible according to the specified access levels. In 
one embodiment, -access- file 1101 is an Extended Markup Language (XML) file 
specifying permitted operations on files in subdirectory 2401. An example of an 
excerpt of an -access- file 1101 is as follows: 

<?xml version= f, l . 0" encoding="UTF-8 " ?> 

<accesscontrol 
identityhash= ,! b44b689d57f0a37e7da6855feaa792bd" > 

<access dri="/-msg- 
/touchverse/602270el0ae23143483c5324adl0ae26/ M 
rights= l! aried"> 

<access dri="2/TargetARepl . jpg" rights="r" /> 
</access> 
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<access dri="/-msg- 
/touchverse/7f033ef5f460f 9aed3483d77f 74f 377c/" rights="r" 
/> 

<access dri="/-msg- 
/touchverse/alefc714aca292a3c7407961f44d6034/" rights=" "> 

<rect rights="rf" x="0" y="0" width="600" 
height="200 n /> 

<polygon right s="i n point s=" 200, 0 350,0 
350,600 200,600" /> 
</access> 

<access dri= " / -msg- 
/touchverse/7cd0b356d7cf 69f 7e8f2a7ecd0f 4003d/ " rights= !I i n > 

<halfplanes rights="rf" lines= n 0, -1,200" /> 
<!-- Can append only if y >= 2 00 --> 

</access> 

<access dri="/-msg- 
/touchverse/c9b7e5aa318b59acad4ca5e36463c2ac/" rights =»i" 
> 

<access dr i = "* /overview. jpg" rights= !, r" /> <!- 
- Read access to overview image --> 
</access> 
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<access dri="/-msg- 
/touchverse/4dbc87ae4854ce964b89275936e71306/ n rights ="rf" 
> 

<map orig="/-msg- 
/touchverse/c33c235bea8ce75309f722b37d82cbb2/'' 

new="/-tnsg- 

/touchverse/6403cdd5dcde5cc3f 6ed8efb25c2105b/" /> 
</access> 

</accesscontrol> 
[0110] An example of an element in -access- file 1101 that would provide 
full access is as follows: 

<access dri="/-nisg- 
/touchverse/602270el0ae23143483c5324adl0ae2 6/ ,! 
right s= ,! areid" /> 

[0111] The "rights" parameter includes letters a, r, e, i, d, indicating 

admin, read, edit, insert, and delete rights. 

[01 12] An example of an element in -access- file 1101 that would provide 
read-only access is as follows: 

<access dri="/-tnsg- 
/touchverse/7f 033ef 5f460f 9aed3483d77f 74f 377c/" rights="rf » 
/> 



Case 7973 -41- 

20412/07973/DOCS/1367371.5 



[01 1 3] The " rights" parameter includes the letter r indicating read rights. 
The "rights" parameter further indicates (via the f) that the specified access rights 
should filter down into subcollections and other items contained within the 
collection. Subcollection rights are masked by the main collection's access rights; 
thus if the main collection's access rights specify read-only access, the 
subcollection cannot be given edit, insert, or delete rights. Thus, individual 
documents (or subcollections) within a collection are given the more restrictive of 
1) a particular access level for that document or subcollection; and 2) an access 
level for the containing collection. Determination of an access level can be 
performed on-the-fly, in response to a user's attempt to access the document or 
subcollection, as described in more detail below. 

[01 14] In general, only an individual with "admin" access can change 

-access- file 1101. Changes are made through a server API, so that the server 
does not need to reveal the entire -access- file, and security is maintained. By 
default, new layers are given the same access permissions as previous layers. 
[01 1 5] -access- file 1101 can specify access levels for an entire collection, or 
for subcollections, or for individual files or regions within a collection. In 
general, an access level associated with a more specific DRI takes precedence 
over an access level associated with a less specific DRI. For example, if a "read" 
access level is specified for a collection DRI, and an "edit/ delete" access level is 
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specified for a DRI of an individual file within that collection, the "edit/ delete" 
access level takes precedence, so the user can edit or delete the file. Similarly, if 
no access level is specified for a collection, but "read" access is specified for a 
region within the collection, the user can read documents within that region. 
However, if the "filter" attribute is set, the access level for a subcollection or 
individual item may be limited by the access level for the containing collection. 
[0116] As discussed above, in general server 108 never reveals or 
transmits the entire -access- file; rather, only the <accesscontrol> element and 
<access> elements related to a specific collection or request are given out. For 
example, consider the following excerpt of an -access- file: 

<?xml version="l . 0" encoding == "UTF- 8" ?> 

<accesscontrol 
identityhash="b44b689d57f 0a37e7da6855feaa792bd" > 

<access dri = H /-tnsg- 
/touchverse/602270el0ae23143483c5324adl0ae2 6/ n 
right s= 11 aried" > 

<access dri="2/TargetARepl . jpg" rights="r" /> 
</access> 

<access dri= lf /-msg- 
/touchverse/7f 033ef 5f460f 9aed3483d77f 74f377c/ n rights="rx n 
/> 
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<access dri = "/-tnsg- 
/touchverse/alef C714aca292a3c7407961f 44d6034/ ,! rights=" "> 

<rect rights="r" x="0" y="0" width="600" 
height="200" /> 

<polygon rights= n i" points="200 / 0 350,0 
350,600 200,600" /> 
</access> 

<access dri = " / -msg- 
/touchverse/7cd0b356d7cf 69f 7e8f2a7ecd0f 4003d/ " right s= 11 i" > 
<halfplanes rights="r" lines= n 0, -1, 200" /> <!- 
- Can append only if y >= 2 00 --> 

</access> 

<access dri="/-msg- 
/touchverse/c9b7e5aa318b59acad4ca5e36463c2ac/ n rights ="i" 



<overview dr i=" 2 /overview. jpg" rights="r" /> 
<!-- Read access to overview image 
</access> 
</accesscontrol> 



> 



[0117] 



When a client attempts to access the collection using a DRI such as 



/-msg-/touchverse/c9b7e5aa318b59acad4ca5e36463c2ac 
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[0118] server 108 returns the following portions of the -access- file: 

<?xml version= !l l . 0" encoding= n UTF-8" ?> 

<accesscontrol 
identityhash="b44b689d57f0a37e7da6855feaa792bd n > 

<access dri= n /-msg- 
/touchverse/c9b7e5aa318b59acad4ca5e36463c2ac/»' rights ="i" 
> 

<overview dri = "2/overview. jpg n rights= ,! r n /> 
</access> 
</accesscontrol> 

[0119] The client now has the identifier for the collection, as well as 
information specifying the particular documents 104 or other objects it is 
permitted to access. <access> elements for other collection identifiers are not 
given out, since they are not needed by the client. 

[01 20] Avoiding transmission of the entire -access- file improves the 

overall security of the system. Some systems which have multiple servers are set 
up so that each server knows about all the other servers. If the system is 
configured so that the servers "trust" one another, they can share sensitive 
information. However, such configurations are vulnerable to security exploits 
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where a computer masquerades as a trusted server or a computer listens in on 
communications between trusted servers and captures the sensitive information 
exchanged between those servers. 

[0121] The technique described herein avoids this problem. By 
configuring servers so that they minimize the exchange of sensitive information, 
such security exploits can be minimized or eliminated. A policy of never giving 
out the -access- file serves this function. Since, in one embodiment, server 108 
does not give out the entire -access- file, the present invention can be securely 
implemented even when it is used in conjunction with untrusted servers. 

[0122] Individual files, subcollections, or other elements can be given 

different access levels than their containing collections. In one embodiment, 
<access> elements in -access- file 1101 are arranged in a tree structure that maps 
to the directory structure of the collection, thus providing a representation of the 
collection hierarchy. Wildcards (*) in DRI paths indicate that a particular access 
level applies to a file in multiple directories. The following example of an 
excerpt of an -access- file 1101 illustrates these concepts: 

<access dri= n /-nisg- 
/touchverse/602270el0ae23143483c5324adl0ae26/ M 
rights="aried"> 
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<access dri="*/TargetARepl . jpg" rights="r" /> 
</access> 

[0123] The above excerpt sets the rights for the directory at "aried" 
(specifying admin, read, insert, edit, and delete access rights), and sets the access 
rights for the TargetARepl.jpg file at "r" (specifying read access rights). 
[01 24] Some files in a collection contain the DRI of that collection 105. For 
instance, in one embodiment, both the TVM file (which describes all of the 
documents 104 in the collection 105) and the SVG file (which provides the 
graphical layout of the collection 105) may contain references to the DRI as well 
as to DRIs of other collections 105. 

[0125] In general, DRIs are modified before providing the files to a client. 

Specifically, each TVM file contains the DRI of the collection 105 that it 
represents. This DRI corresponds to the DRI that was used to access the TVM 
file. When collection server 108 provides the TVM file to a client, the DRI 
contained in the TVM file is rewritten to be that of the DRI that the client already 
knows. 

[0126] If the "f" attribute is active, and the TVM file contains a reference to 
a collection 105 that has more permissive access permissions than the containing 
collection 105, a new collection 105 is created with restricted permissions, and the 
TVM file is rewritten to reflect the restricted collection 105 instead of the 
permissive collection 105. 
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[01 27] When a new restricted access DRI is created, -access- file 1101 
includes <map> elements to map the original DRIs to the new restricted access 
DRIs so that the correct level of access is provided. 

[01 28] In one embodiment, a single collection 105 can have multiple 
permission regions 1201, specified for example according to region within 
collection overview 506. Referring now to Fig. 12, there is shown an example of a 
collection 105 having multiple permission regions. Collection overview 506 is 
divided into two permission regions 1201A, 1201B defined by reference to a 
horizontal line 1202 at a coordinate position of y = 200. An item whose top-left 
corner is located in region 1201 A above line 1202 carries read-only permissions, 
while an item whose top-left corner is located in region 1201B below line 1202 
carries insert-only permissions. Thus, in the example shown, documents 104N, 
104P, and 104Q would carry read-only permissions, while document 104R would 
not be readable since it lies within the insert-only region 1201B. (In one 
embodiment, document 104R would not be shown on coversheet 102, since that 
document 104R is not readable by the possessor of that coversheet 102.) Of 
course, these access limitations would apply only to a user using a DRI 
associated with the particular -access- file that specifies such limitations; a user 
using another DRI might have a different set of access permissions. 
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[0129] An example of an <access> element for specifying access levels as 

shown in the example of Fig. 12 is as follows: 

<access dri="/-msg- 
/touchverse/alefc714aca292a3c7407961f44d6034/ n rights=" " > 

<rect right s="rf" x= l? 0" y="0" widths" 600 11 
height= ,! 200 n /> 

<polygon rights="i" points="200, 0 350, 0 350, 600 
200,600" /> 

</access> 

[01 30] Another example of an <access> element specifying a similar 

configuration of access levels is as follows: 

<access dri= " / -msg- 
/touchverse/7cd0b356d7cf 69f 7e8f 2a7ecd0f 4003d/ n rights= !l i" > 
<halfplanes rights= M r" lines="0 , -1 , 200 " /> 

</access> 

[0131] The < ha 1 f p 1 ane s > element specifies a half-space within the two- 
dimensional region of the overview image, using a coordinate system wherein, 
for example, the (0,0) point is in the upper left comer of the overview image. 
Referring again to Fig. 12, the SVG file that specifies the layout of overview 506, a 
width and height is specified. For purposes of illustration, the width and height 
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are 600 units and 350 units, respectively. The <half planes> element specifies 
a dividing line 1202 at y = 200 using an equation Ax + By + C(in this example, 
A = 0, B = -1, and C = 200.) Any (x,y) pair which, when plugged into this 
equation, returns a value which is less than 0 is considered out of the halfplane. 
For instance, (20, 210) produces a value of -10 and is not in the halfplane 
specified by the <half plane s> element, but (0, 0) returns a value of 200 and is 
therefore within the halfplane. Thus, it can be determined whether any 
particular object is within the region defined by the <halfplanes> element. 
[01 32] Referring now to Fig. 11, there is shown a flowchart of a method of 

determining an access level according to region. The bounding box for a 
document 104 or other target is determined 1301; in one embodiment, this may 
be the smallest rectangle that completely encloses the document 104 
representation in overview 506. The variable " point" is defined 1302 as the top- 
left corner of the bounding box. 

[01 33] In steps 1303 through 1306, access regions 1201 are consulted in 
turn, to determine which one contains point. An access region 1201 is consulted 
1303, and a determination is made 1304 as to whether point lies within region 
1201. If so, the defined region access permissions for region 1201 are assigned to 
the target. If point does not lie within region 1201, and more regions 1201 exist 
1306, the next access region 1201 is consulted 1303. If point does not lie within 
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region 1201, and no more regions 1201 exist 1306, permissions are assigned 1307 
based on a default for collection 105. 

[01 34] As discussed above, the 'f or "filter" access parameter prevents 

documents or sub-collections within a main collection from having access rights 
that are higher than those of the main collection. For example, if a main 
collection has access rights of read-only, documents or sub-collections within 
that collection could have full permissions only if the filter parameter were 
turned off, or if a higher access permission is specified for a particular document 
or sub-collection in the -access- file. 

[01 35] When the filter parameter is specified, sub-collection and document 

access rights are masked by the rights associated with the main (containing) 
collection). Thus, the access rights for the sub-collection or document would be 
the more restrictive of a) the access rights specified for that sub-collection or 
document; and b) the access rights of the main (containing) collection. 
[01 36] In one embodiment, a new version of the sub-collection or 

document is created on-the-fly when needed. Thus, for example, if a main 
collection specifies read-only access, and the filter parameter is specified, the 
system of the present invention would create a read-only version for any 
document or sub-collection within that main collection that does not already 
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have a read-only version. In one embodiment, such a version is created only in 
response to an attempt to access the document or sub-collection. The DRI for the 
new version is then provided by server 108 so that a client can access it at the 
appropriate access level. 

[01 37] For example, suppose a coversheet 102 is presented that indicates 
read-only access for collection A. If collection A contains subcollection B, and the 
available DRI for subcollection B points to a collection with unrestricted access, a 
new read-only pointer for subcollection B is generated. Server 108 adds a <map> 
element to the -access- file for collection A, indicating that read-only access to 
subcollection B is available via the new DRI. Then, server 108 responds to the 
request for collection A by providing the read-only pointer to subcollection B. 
TVM and SVG files are rewritten as needed to point to the new DRI. 
[01 38] In one embodiment, a user can create a more restricted version of a 

collection only by copying the collection and assigning the more restricted access 
level to the copy. In another embodiment, the user can create a new DRI that 
corresponds to the original collection but is more restrictive in the access it 
allows. 

[01 39] In one embodiment, an identityhash attribute is provided as a 

unique collection identifier available to all clients, regardless of their access 
privileges and regardless of the DRI they use to access the collection. The 
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identityhash attribute allows clients to determine if two different DRI's point to 
the same collection. Clients are thereby able to delete redundant DRTs, 
particularly when more than one DRI points to the same collection (either with 
the same or with different access levels). In addition, the identityhash attribute 
allows remote servers to build an -access- file without requiring them to have 
access to the entire -access- file. 

[01 40] When a client accesses a collection using a DRI, the client is given 
or can request the identityhash value of that collection from the server. If the 
identityhash matches that of another collection with a different DRI that the 
client is already aware of, then the client can determine that both DRIs point to 
the same collection. This is especially useful for remote servers. If several clients 
request collections through a remote server, the server can determine which DRIs 
point to the same collections. It is convenient and efficient for the server to 
merge all DRIs that point to a single collection. Such a technique also saves space 
on the server. In order to merge multiple DRIs into a single collection, the server 
creates a link from all DRIs to the one directory that contains the files and 
subdirectories in the collection, merges the -access- file entries, and creates 
<map> elements in the -access- file. 
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[01 41 ] Referring now to Fig. 10A, there is shown a flowchart depicting a 

method for creating limited access coversheet according to one embodiment. 
The method is described in the context of granting levels of access to collections 
105 of documents 104 via paper coversheets 102. One skilled in the art will 
recognize many variations are possible in light of this description without 
departing from the principles of this invention. In particular, the various steps 
depicted in Fig. 10A can be performed in any order, and the invention is not 
limited to the particular order depicted. 

[01 42] MFP 100 creates 2902 a new collection 105 or accesses an existing 

one. In response to a user's request, MFP 100 obtains 2903 a DRI corresponding 
to each distinct access level. For example, if the user requests a coversheet 102 
that allows add-only access and a second coversheet 102 that allows read-only 
access, MFP 100 would obtain a DRI for each of the two access levels. In one 
embodiment, each DRI is obtained from collection server 108; alternatively, DRIs 
may be retrieved from local storage based on previously obtained data. 
Preferably, DRIs cannot be derived from one another. Thus, an individual who 
has been granted one level of access, and is therefore in possession of a DRI for 
that access level, cannot easily determine or guess the DRI for another access 
level. 

[0143] In one embodiment, step 2903 includes the following substeps: 
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[01 44] - server 108 receives request for new DRI based on existing DRI; 
[0145] - server 108 creates new DRI and links it to existing DRI; 

[0146] - server 108 modifies -access- file by adding elements 

corresponding to new DRI with correct permissions; 
[01 47] - server 108 provides new DRI to client. 

[0148] Then, for each requested access level, MFP 100 outputs 2904 a 
coversheet 102 containing the DRI corresponding to the access level; 
alternatively, MFP 100 can email the DRI or otherwise output or transmit it 
without necessarily generating a coversheet 102. In one embodiment, MFP 100 is 
configured to generate certain types of coversheet 102 by default. For example, if 
an add-only coversheet 102 is requested and no other coversheet 102 is 
requested, MFP 100 may, by default, generate a full-access coversheet as well. 
This would prevent a situation wherein the add-only DRI is the only DRI output, 
and no DRI to a version that permits reading is known, so that nobody would 
have permission to read the added documents. In another embodiment, MFP 
100 may prompt the user to confirm a choice that would potentially lead to such 
a problem. Such confirmation may be obtained, for example, by presenting an 
" Are you sure?" dialog box on control panel 106 or other user interface. 
[0149] Once a limited limited-access coversheet is created, it can be used 
to access collections. Referring now to Fig. 10B, there is shown a flowchart 
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depicting a method for using limited-access coversheets 102 to access collections 
105. One skilled in the art will recognize that the various steps depicted in Fig. 
10B can be performed in a sequence other than that depicted, and that the 
invention is not limited to the particular order shown in the Figure. 
[01 50] MFP 100 scans 2907 coversheet 102 (or otherwise receives an image 

representing a collection) and reads 2908 the DRI. The DRI identifies a version of 
a collection 105 with a given level of access. MFP 100 uses the DRI to retrieve 
2909 the version of the collection 105 identified by the DRI from collection server 
108. In response to receiving 2913 a user's request to perform an action with 
respect to the collection 105, the MFP 100 determines 2910 whether the action is 
permitted by either: a) transmitting the request to collection server 108 so that 
server 108 can determine whether the action is permitted; or b) using the access 
metadata from collection server 108 to determine whether the action is permitted 
2910; or c) performing some other operation for determining whether the action 
is permitted given the level of access permitted by the DRI. If the action is 
permitted, MFP 100 executes 2911 the action on the documents 104. If the action 
is not permitted, MFP 100 denies 2914 the action, and in one embodiment 
indicates the denial to the user via control panel 106 or other output device. 
[0151] In one embodiment, allowance or denial of the action can take place 

at server 108 rather than (or in addition to) taking place at MFP 100. Thus, even 
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when MFP 100 fails to block an unauthorized action from taking place, server 108 
can deny the action if it is determined that the level of access specified by the DRI 
does not permit the requested action. For example, if MFP 100 accepts a newly 
scanned document 104 for addition to collection 106, and server 108 determines 
that the DRI presented only permits read-only access, server 108 denies the 
addition, and transmits a message to MFP 100 so that MFP 100 can communicate 
the denial to the user. 

[01 52] In one embodiment, the techniques described herein are combined 

with techniques for providing limited permission overview regions as described 

in related U.S. Patent Application No. titled "Method and 

Apparatus for Composing Multimedia Documents/ 7 filed , the 

disclosure of which is incorporated by reference. For example, the related 
application provides additional description and Figures depicting collection 
coversheets having various permission levels. One skilled in the art will 
recognize that the above-described techniques can also be combined with other 
techniques set forth elsewhere in this disclosure and/ or in related disclosures 
that are incorporated by reference. 

Additional Functionality 

[01 53] In some embodiments, the present invention is able to provide 
access levels that change or expire upon the occurrence of some predetermined 
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event. The following are examples of such functionality. Any of these features 
may be included alone or in combinations with one another and/ or with other 
functionality described above. 

[01 54] Modifying Access Levels. In one embodiment, authorized persons 
can modify a level of access of a collection 105. Such authorized persons may 
include, for example, document administrators,. In one embodiment, anyone 
who possesses a coversheet 102 that specifies "admin" access can perform such 
operations, including modifying access levels for others. In another 
embodiment, one or more specific individuals have this capability; known 
techniques of identity verification can be used to determine whether to grant 
// admin ,/ access to an individual. When the access level of a collection 105 is 
modified, collection server 108 modifies the access permissions information for 
collection 105 accordingly, and/ or assigns a distinct DRI to a version of the 
collection 105 that provides the specified access level. 
[01 55] Expiring Coversheets. In one embodiment, when a collection 
coversheet 102 is created, the user can specify that coversheet 102 will expire 
after a predetermined period of time, or after it has been used a predetermined 
number of times. Such a feature may be especially useful in applications where it 
is desirable to strictly control the number of copies of a document that are in 
circulation. After the expiry event takes place, server 108 denies access to the 
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document 104 or collection 105 referenced by the coversheet 102. In another 
embodiment, after the expiry event takes place (or upon occurrence of some 
other trigger event that has been previously specified), the access level associated 
with coversheet 102 changes to a more (or less) restrictive access level. 
[01 56] For example, a DRI on a coversheet 102 can initially allow full 

access, but upon occurrence of an expiry event or other trigger event, the 
"-access-" file can be changed so that the same DRI allows only read-only access. 
Examples of such trigger events include: review by a supervisor; suspected 
security breach; submission or filing; transmission of the document to an outside 
entity; or a deadline for changes. In one embodiment, MFP 100 tracks each 
access of collection 105, and further tracks which user is accessing the document. 
To do so, the MFP 100 may also require that a user of a coversheet 102 identify 
him- or herself in some manner, for example by password, name, biometric scan, 
or the like, in order to use the coversheet 102 to access the collection. The initial 
user that created collection 105, along with possibly other users possessing 
coversheets that allow "admin" -level acess, can specify whether such 
identification is required before access is granted. After the trigger event has 
occurred, MFP 100 may optionally notify (for example via e-mail) known 
possessors of coversheets 102 that their access levels have been changed or have 
expired. 
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[01 57] In one embodiment, the relevant variables for the event criteria are 

tracked in the metadata associated with the collection 105 or stored in a log. The 
log can be present in MFP 100, stored in collection server 108, or stored anywhere 
else that is accessible to the system. Maximum reliability and security can be 
achieved by storing the log in server 108 rather than in MFP 100 or in some 
unsecured location. In addition, the relevant event criteria may be printed on the 
coversheet. For example, coversheets 102 may be appropriately time- and date- 
stamped with their expiration dates using a machine-readable format, or human- 
readable format, or both. These date stamps can be compared with the present 
time when access is attempted, to determine whether coversheet 102 has expired. 
If access to collection 105 through coversheet 102 has not expired, MFP 100 
allows access. As another example, a coversheet may expire after a predefined 
number of copies have been made at MFP 100. 

[01 58] Identification Authentication. In one embodiment, a user 
presenting a coversheet 102 is required to verify his or her identity before being 
permitted to access the collection 105. The user that created the coversheet 102 
may specify that such authentication is required with respect to a particular 
coversheet 102. Identity authentication can be performed by password entry, 
biometric scan, or other techniques that are well known in the art. In addition, 
such functionality may be combined with the secure decryption key techniques 
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described in related U.S. Patent Application No. titled "Physical 

Key for Accessing a Securely Stored Digital Document," filed , the 

disclosure of which is incorporated by reference. 

[01 59] Additional Prerequisites. In one embodiment, MFP 100 requires 
certain conditions to be satisfied before it outputs a collection 105 or document 
104, even when coversheet 102 is presented. As discussed above, in one 
embodiment the user that created the coversheet 102 may specify that recipient 
authentication be required before collection 105 can be output or accessed. The 
present invention can also be combined with watermarking techniques, as 
described for example in the above-reference related patent applications, so that 
printed output of MFP 100 is traceable to a particular recipient. Alternatively, a 
different DRI can be used for each printed coversheet 102, so that the coversheet 
102 is directly traceable without the use of watermarks. 
[01 60] Blocked Access. From time to time, it may be desirable to block 
access to a collection 105, either permanently, or temporarily (such as while 
updating a collection 105). In one embodiment, an administrator (i.e. a user in 
possession of a coversheet 102 that includes a DRI permitting admin access) can 
request that access to one or more collections 105 be blocked, and can specify the 
time period during which it will be blocked. While access is blocked, server 108 
refuses to honor any coversheets 102 that have been issued for collection 105. In 
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one embodiment, control panel 106 (or other output device) can provide an 
explanation of the block to the user attempting access, and can optionally 
provide additional information such as an estimated time when the block will be 
lifted. 

[0161] Customized Level of Access by Document In one embodiment, in 

addition to providing the ability to specify an access level for a collection 105, the 
invention allows a user to specify individual access levels on a document-by- 
document basis within the collection 105. If the user selects this option, MFP 100 
presents, on control panel 106 or other display device, a list of documents 104 
within the collection 105 so that the user can individually specify the level of 
access for each document 104. Alternatively, the user can indicate on coversheet 
102 various access levels for different documents 104 within collection 105. MFP 
100 can then scan coversheet 102 and send a request to server 108 to apply the 
indicated access restrictions. The user can also specify the "filter" option, as 
described above, whereby a collection's access level applied is recursively 
applied to subcollections within the collection. 

[0 1 62] Denying Access Beyond Level Specified. In one embodiment, 
alternative methods and mechanisms exist for accessing collections 105 and 
documents 104, so that coversheets 102 are not the only method of obtaining 
access. Thus, if a coversheet 102 is lost or destroyed, or if the DRI is lost or 
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unreadable, it may still be possible to access the collection 105 associated with the 
coversheet 102 on an emergency basis. For example, a user may browse for a 
collection 105 using control panel 106, or may use conventional techniques for 
navigating to and selecting collections 105 and documents 104. 
[01 63] If security is desired, such alternative ways of gaining access to a 
collection 105 can be restricted to authorized administrators, system operators, 
and the like. In another embodiment, to maximize security, such alternative 
ways are eliminated, so that coversheet 102 is the only way to access a collection 
105 or document 104. Additional security can be provided by combining aspects 
of this invention with inventions described in related U.S. Patent Application No. 

titled "Physical Key for Accessing a Securely Stored Digital 

Document/' filed , the disclosure of which is incorporated by reference. 

[01 64] The present invention has been described in connection with a 
specific implementation of a typical embodiment thereof. It will be understood 
by those skilled in the relevant art that many changes can be made without 
departing from the true spirit and scope of the present invention. Therefore, it is 
intended by the appended claims to cover all such changes and modifications 
that come within the true spirit and scope of this invention. 
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